Implements countermeasures against targeted cyberattacks after a breach

Overview

Home to two World Heritage sites, the Hiroshima Peace Memorial (Atomic Bomb Dome) and Itsukushima Shrine, Hiroshima Prefecture is a manufacturing prefecture that forms the foundation of the Setouchi industrial region. The Hiroshima Prefectural Government is responsible for its core administration.

Challenges

Surrounded by an abundance of natural beauty such as the Seto Inland Sea and the Chugoku Mountains, Hiroshima Prefecture promotes itself as a tourist destination. For its own operations, the Hiroshima Prefectural Government promotes the adoption of advanced IT systems, such as a paperless meeting system using tablet devices.

In general, it is critical for a local government to implement appropriate security countermeasures on the systems that handle citizens' information. On this point, Hirofumi Nishida of the Office of Administration and Management, Information Platform Group, says: “We mainly manage the infrastructure of the systems for employees, and on this infrastructure a lot of applications which handle the information of our citizens are running. Because the data is transmitted on this infrastructure, security countermeasures are still critical there.” Accordingly, they had secured their business PCs and IT systems with countermeasures such as antivirus and firewalls.

However, in April 2012, Hiroshima Prefectural Government experienced an incident: a threat entered their environment via a targeted email attack aimed at the local government. Specifically, the Prefectural Board of Education received four emails entitled “Regarding the extension of measures against North Korea”. Although a notification from the Ministry of Internal Affairs and Communications urging caution about suspicious emails disguised as information regarding North Korea was received directly afterwards, two employees had already opened the file attached to the email.

They immediately inspected the communication logs. Although swift cleanup prevented any expansion of the damage, they found signs of an encrypted backdoor connection to addresses in China.

“There was only one instance of connection. We publicly announced that, judging from changes in the amount of traffic, it was difficult to imagine that important information had leaked,” says Nishida. On the other hand, it was also a fact that analyzing the firewall and proxy logs alone could not definitively establish that “there was no real harm”. “In order to prevent a re-occurrence, it was critical to create a situation in which we could regularly confirm the status of communication on the network, and detect and clean up threats quickly should an invasion occur. At the same time, we also felt that logs remaining as evidence were essential,” says Akitoshi Murakawa, also of the Information Platform Group.

Solution

The Hiroshima Prefectural Government started working on countermeasures focusing on “C&C communication”, to monitor backdoor communications, and “lateral movement”, to monitor internal activity inside its network.

“In the investigation we were conducting to update our backbone network, we decided to add one requirement, ‘visualizing communications in real time’,” says Hitoshi Okano of the Information Platform Group, looking back.

While reviewing each vendor's proposal, they actually ran several of the systems to evaluate them. In the end, they chose Trend Micro's Deep Discovery Inspector™ (DDI), which detects threats via three methods: static analysis, dynamic analysis and behavioral analysis. Okano explains the reason for the selection: “During the two-week test, we really realized that DDI could visualize detailed events, such as ‘access using network sharing’ and ‘evidence of failed logins’. Additionally, because reports such as event logs and risk levels could also be created and output in our language, Japanese, we could quickly use them as evidence when an incident occurs. This is exactly what we were looking for.”

Furthermore, they had been using OfficeScan™ Corporate Edition as antivirus on their business PCs. From an operational-control perspective, the advantage of consolidating security solutions with products from the same vendor also supported the adoption of DDI.

Moreover, they also adopted the security operation management support service, the Trend Micro Premium Support Program (PSP), at the same time. In addition to operational support for the implemented Trend Micro products, it provides swift recovery assistance during incidents, malware sample analysis, and emergency virus pattern files when new or variant viruses appear. They adopted this support to further reinforce their security against targeted cyberattacks.

Results

Hiroshima Prefectural Government now connects DDI to a mirror port on the core switches into which its internal LAN is consolidated, and monitors each employee's Internet access. Furthermore, they established an environment in which they can monitor every system and file server within the LAN.
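The following is an added example, written for this page and not taken from DDI or from the prefecture's deployment, of the two kinds of monitoring the Solution section describes and that the mirror-port deployment above feeds: C&C beaconing (an internal host contacting the same external address at a near-constant interval) and lateral movement (a burst of failed logins, or SMB sessions fanned out to many internal hosts). The firewall-style connection log, the authentication log, the 10.0.0.0/8 address plan, the addresses and the thresholds are all constructed for the illustration; a product such as DDI derives the same kinds of events from mirrored traffic rather than from text logs.

```python
# Added example (not DDI's code): toy beacon / lateral-movement detections
# over constructed logs. Address plan, log formats and thresholds are assumed.
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed LAN range

# Constructed firewall-style connection log: timestamp src dst dport action
CONN_LOG = """\
2012-04-10T09:00:00 10.1.2.15 203.0.113.7 443 ALLOW
2012-04-10T09:05:01 10.1.2.15 203.0.113.7 443 ALLOW
2012-04-10T09:10:00 10.1.2.15 203.0.113.7 443 ALLOW
2012-04-10T09:15:02 10.1.2.15 203.0.113.7 443 ALLOW
2012-04-10T09:20:00 10.1.2.15 203.0.113.7 443 ALLOW
2012-04-10T09:01:13 10.1.2.22 198.51.100.9 443 ALLOW
2012-04-10T11:03:05 10.1.2.22 198.51.100.9 443 ALLOW
2012-04-10T09:30:00 10.1.2.15 10.1.3.40 445 ALLOW
2012-04-10T09:30:04 10.1.2.15 10.1.3.41 445 ALLOW
2012-04-10T09:30:09 10.1.2.15 10.1.3.42 445 ALLOW
"""
# Constructed authentication log: timestamp src dst result user
AUTH_LOG = """\
2012-04-10T09:31:00 10.1.2.15 10.1.3.40 LOGIN_FAIL administrator
2012-04-10T09:31:05 10.1.2.15 10.1.3.41 LOGIN_FAIL administrator
2012-04-10T09:31:09 10.1.2.15 10.1.3.42 LOGIN_FAIL administrator
2012-04-10T09:31:15 10.1.2.15 10.1.3.43 LOGIN_FAIL administrator
2012-04-10T09:31:20 10.1.2.15 10.1.3.44 LOGIN_FAIL administrator
2012-04-10T09:31:26 10.1.2.15 10.1.3.44 LOGIN_OK administrator
2012-04-10T08:15:00 10.1.2.22 10.1.3.40 LOGIN_FAIL user1
2012-04-10T08:15:30 10.1.2.22 10.1.3.40 LOGIN_OK user1
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def parse_conn_log(text):
    """Return (time, src, dst, dport, action) tuples from the constructed format."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, action = line.split()
        events.append((parse_ts(ts), src, dst, int(dport), action))
    return events

def detect_beacons(events, min_conns=4, max_jitter=0.1):
    """C&C beaconing: internal->external pairs with near-constant intervals.
    Returns {(src, dst): mean_interval_seconds}."""
    by_pair = defaultdict(list)
    for ts, src, dst, _dport, action in events:
        if action == "ALLOW" and is_internal(src) and not is_internal(dst):
            by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue  # too few samples to call the interval regular
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # coefficient of variation: a timer-driven implant has almost none
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[pair] = mean
    return beacons

def detect_share_fanout(events, min_hosts=3):
    """Lateral movement: one internal host opening SMB (445) sessions to many
    distinct internal hosts. Returns {src: [dst, ...]}."""
    targets = defaultdict(set)
    for _ts, src, dst, dport, action in events:
        if action == "ALLOW" and dport == 445 and is_internal(src) and is_internal(dst):
            targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_hosts}

def detect_failed_login_bursts(text, threshold=5, window=timedelta(minutes=10)):
    """Lateral movement: sources with >= threshold LOGIN_FAIL events inside any
    sliding window. Returns {src: max_failures_in_one_window}."""
    fails = defaultdict(list)
    for line in text.strip().splitlines():
        ts, src, _dst, result, _user = line.split()
        if result == "LOGIN_FAIL":
            fails[src].append(parse_ts(ts))
    hits = {}
    for src, times in fails.items():
        times.sort()
        best = 0
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            hits[src] = best
    return hits

def report(conn_text=CONN_LOG, auth_text=AUTH_LOG):
    """Run all three detections and return their findings by name."""
    events = parse_conn_log(conn_text)
    return {
        "beacons": detect_beacons(events),
        "share_fanout": detect_share_fanout(events),
        "failed_login_bursts": detect_failed_login_bursts(auth_text),
    }
```

On the constructed data, `report()` flags 10.1.2.15 on all three counts: a five-minute beacon to 203.0.113.7 (interval jitter of about half a percent), SMB sessions to three different internal hosts, and five failed logins in under a minute, while 10.1.2.22 (two irregular outbound connections, one failed login) stays quiet. The beacon check keys on interval regularity rather than volume because a timer-driven implant calls home on a schedule even when it sends almost nothing; the caveat is that a backdoor used only once, as in the prefecture's 2012 incident, will not trip it, which is one reason retained logs and file-server access alerts matter alongside traffic analysis.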

With DDI in place, Hiroshima Prefectural Government has reduced various risks from targeted cyberattacks.

For example, in recent years, attacks in which a compromised website redirects visitors who click a URL to a malicious site that spreads the infection have been increasing. “Although it is quite difficult to recognize cases such as those involving redirection to a malicious website, DDI can visualize these malicious links and notify us,” says Murakawa.

Communication status can be confirmed in real time via the DDI dashboard. A system engineer stationed on site handles daily operations. Although the basic routine is to verify the daily reports on the following business day, they receive an email notification immediately when urgent events, such as suspicious access to a file server, are detected. These are collected and verified in a monthly report. Moreover, with PSP, they established a flexible operational management system which enables them to track and deal with problems quickly when suspicious behavior is identified.

“We don’t know when an incident will occur. But the great sense of security that we have obtained from DDI which visualizes threats and prevents them in advance, together with the 24/365 operation of the PSP is the greatest accomplishment. We are extremely satisfied,” says Nishida, in conclusion.